Passionate about IP! Since June 2003 the IPKat weblog has covered copyright, patent, trade mark, info-tech and privacy/confidentiality issues from a mainly UK and European perspective. The team is David Brophy, Birgit Clark, Merpel, Jeremy Phillips, Eleonora Rosati, Darren Smyth, Annsley Merelle Ward and Neil J. Wilkof. You're welcome to read, post comments and participate in our community. You can email the Kats here

For the half-year to 30 June 2015, the IPKat's regular team is supplemented by contributions from guest bloggers Suleman Ali, Tom Ohta and Valentina Torelli.

Regular round-ups of the previous week's blogposts are kindly compiled by Alberto Bellan.

Monday, 10 February 2014

Can ISPs - notably hosting providers - be liable for the illicit treatment of personal data committed by users of their services?This intriguing question has been at the centre of a legal saga that has unfolded before Italian courts (Milan Court of First Instance[for an analysis of first instance proceedings, seehere], Milan Court of Appeal, and Court of Cassation) over the past few years.According to Advocate General (AG) Jaaskinen's recent Opinion in Case C-131/12 Google Spain, although it is true that an ISP (an internet search engine service provider in this case, =Google) ‘processes’ personal data, this cannot be considered as ‘controller’ of the processing of such personal data.

In December last, the Court of Cassation (Italy's supreme court) concluded in the same sense as this Kat's favourite AG, holding that a hosting provider (again, =Google) was not liable for the illicit treatment of personal data committed by users of its service. This Kat is reporting this story only now, because the Court made available its extended judgment only a few days ago.

Is this sufficient or do ISPs also have to inform usersof their data protection obligations?

BackgroundIn September 2006 a video showing a disabled student being verbally and physically abused by three of his fellow school mates was uploaded on Google Videos. This video was viewed so many times that it became both the most popular video in the 'Funny Videos' section and one of the most downloaded videos on Google Videos. It was only in November that year that Google removed the video, following a request from the Italian Postal Police.ViviDown, an Italian charity that promotes scientific research and the safeguard of people with Down syndrome, and the father of the bullied student brought criminal proceedings against both the authors of the video and three Google executives. In particular as regards the latter, it was claimed that Google had failed to inform the users of its video platform about their data protection obligations. In addition, also considering how preeminent this video which unduly disclosed personal (health) data of the subject represented therein had become, Google must certainly have knowledge of its illicit nature, and yet had done nothing to remove it from its platform.In 2010 the Milan Court of First Instance held the three Google executives criminally liable pursuant to Article 167 of the Italian Data Protection Code, ie illicit treatment of personal data. In 2012 the Milan Court of Appeal overturned the first instance decision, and held that that the Google executives had committed no criminal offence, on consideration that (1) Article 167 does not impose any obligation on ISPs to inform users about their data protection obligations, and (2) Google executives had no prior knowledge of the illicit nature of the video. The Court of Cassation upheld the ruling of the Court of Appeal, reasoning as follows.

A likely instanceof illicit treatment of personal data

What the Court of Cassation saidThe Court analysed the relevant legislative framework, including the Data Protection Code and the legislative decree by which Italy implemented the Ecommerce Directive, and concluded that:

There is no general obligation on ISPs to monitor the information and data provided by third parties.

There is no obligation on ISPs (having a criminal nature) to inform the subject who has provided the data about his/her obligations under data protection laws. This is because an ISP cannot be consider itself as a personal data controller within Article 167 of the Data Protection Code. A personal data controller is only the subject who has the power to determine the objectives and means through which the treatment of personal data is due to take place and, as a consequence, is required to manage the risks associated with such treatment and obtain the consent required from interested parties.

A hosting provider merely stores information provided by recipients of its service. As such, it has neither control over the data stored nor contributes in any way to their selection or management. Pursuant to Article 14 of the Ecommerce Directive, liability of a hosting provider may arise only where: (a) it does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or (b) upon obtaining such knowledge or awareness, it acts expeditiously to remove or to disable access to the information.

This means that, even in the context of data protection obligations, until the ISP obtains knowledge of the illicit nature of the information it stores, it cannot be considered as a personal data controller. Of course, as soon as the ISP becomes aware of the illicit nature of such information, it has an obligation to remove or make such information inaccessible. If it fails to do so, the ISP can be considered as a personal data controller and, as such, be subject to relevant obligations and sanctions under the Personal Data Code.

Although the protection of individuals with regard to the processing of personal data is governed by specific directives [Directive 95/46/EC and Directive 97/66/EC, although EU Commission is currently engaged in comprehensive reform of data protection rules] and not the Ecommerce Directive [see recital 14], the latter serves to clarify further the relevant legislative framework applicable to data protection and privacy.

The IPKat's sidebar contents

Want to complain?If you feel that you have been unfairly prevented from posting a comment on one of this weblog's features, here's what you can do about it

The IPKat's cousins: some IP-friendly blogs for youThe IPKat lists his 'family' of IP blogs, some of which focus on specific rights, geographical zones, markets or interests

How many page-views?See how many times the pages of the IPKat weblog have been purr-viewed

The Kat that tweetsToo short to blog? Some news and views are still worth airing, thanks to Twitter

Want to receive the IPKat weblog by email?You can get each post, or a digest, sent direct to your favourite mailbox

Not just any old IPKatEvery so often, this feline creeps into the limelight

The IPKat's RSS feeding arrangementsFeedburner and all those other things ...

What you've been sayingHere are the most recent readers' comments on the IPKat's posts

The IPKat's Greatest Hits!Here are the five posts on the IPKat's weblog that have received the most attention from readers over the past 30 days

Has the Kat got your tongue?Some translation facilities for readers whose first language is not English, or who are just plain masochistic

Creative Commons licenceYou too can make use of this blog's contents, if you follow the rules

The IPKat ArchiveAncient posts, going back to June 2003

Want to complain?

If you have posted a comment to one of our blogposts and it hasn't appeared, it may be because it doesn't match our criteria for moderation -- essentially that readers' comments should not be obscene or defamatory; they should not consist of ad hominem attacks on members of the blog team or other comment-posters and they should be relevant to the blogpost on which they purport to comment.

If you feel that your comment should have been moderated, please email the IPKat at theipkat@gmail.com and let him know, since it may be that your comment has been misdirected into the Blogger software's Spam file.

In the event that there has been no software malfunction and that your post has been rejected, if you want to appeal against this decision please contact either (i) Dr Danny Friedmann of theIP Dragonweblog (ipdragon@gmail.com) or (ii) Professor Dennis Crouch of the Patently-O weblog (dcrouch@patentlyo.com). Danny or Dennis will review your complaint, preserving the confidentiality of your identity and will let both you and us know whether your complaint is justified.

If your complaint relates to bias or distortion, the IPKat suggests that you contact him initially, bearing in mind that he and Merpel are generally willing to host pieces by guest contributors even when their opinions are at odds with those of this blog's contributors.